Contacts

Questions related to this curriculum should be sent to John Steven, who is the Northern Virginia chapter leader.

Registration

Classroom size estimate for hands-on sessions: 30 stations max. The physical number of students can be larger, as people may want to pair up, but we may have a hard limit of 40 students.

Registration for sessions will be on a first come, first served basis, although we will give preference to people who show regularity and sign up for many sessions. Students will have to fill out a short interview form before the session so the instructors get to know their skill level and motivation. Students are required to meet the prerequisites for the sessions they sign up for. We ask students to bring their laptop to the hands-on sessions and to have software such as SSH pre-installed. Basic knowledge of code is also required in all sessions except the last one. We will start registration by email in mid-June or earlier.

Student prerequisites

All students will need to bring their own laptop and use it as a client to connect to the host machines; we will support Windows, MacOS and Unix users. Laptops should have at least 2 GB of RAM and a version of SSH installed.

Tool license and Vendor IP

Vendors will need to provide tool licenses for the hands-on sessions. This is NOT a competition. The purpose is NOT to compare tools; different source code will be picked for each vendor. Vendors are not allowed to interfere with other vendors’ sessions or demos. Questions related to tool comparison between the vendors are out of scope. Vendors are free to present features and particularities exclusive to their tools.

Ounce Labs will demo its tool and scan WebGoat. We will have an open discussion session after the demo for students to ask the vendor questions. After this course, students should be able to scan code on their own. Students should feel free to bring code to scan.

Session 5: Customization Lab for Ounce Labs, September 2009 (date to be confirmed)

Speaker: Nabil Hannan (Cigital)

Time: 3 hours

Logistics: Hands-on setup as in the logistics section.

Location: TBD

Classroom size: 30 stations, 40 attendees max

Prerequisite: Attended session 2

Nabil will train the students on how to customize the Ounce Labs 6 tool.
Agenda (draft):

Code Review and Static Analysis with tools

This article will answer the following questions about secure code review and use of static analysis tools:

What are static analysis tools and how do I use them?

How do I select a static analysis tool?

How do I customize a static analysis tool?

How do I scale my assessment practices with secure code review?

Organizational

How do I scale my assessment practices with secure code review?

Implementing a static analysis tool goes a long way toward providing a force multiplier for organizations. The following presentation discusses a comprehensive set of steps organizations can undertake to successfully adopt such tools. The presentation discusses who should adopt the tool, what steps they should take, whom they should involve, and how long it will take and how much it will cost:
Implementing a Static Analysis Tool.ppt
For those with existing assessment practices involving secure code review (whether or not those practices leverage tools), the question often becomes, "I can review an application, but how do I scale the practice to my entire organization without astronomic cost?" The following presentation addresses this question:
Maturing Assessment Through Static Analysis

Customization

People who believe that the value of static analysis lies predominantly in the tools' core capabilities "out of the box" come up incredibly short. By customizing your chosen tool you can expect: